# prevent the automatic loading of line disciplines
# https://lore.kernel.org/patchwork/patch/1034150
dev.tty.ldisc_autoload=0

# additional protections for fifos, hardlinks, regular files, and symlinks
fs.protected_fifos=2
fs.protected_hardlinks=1
fs.protected_regular=2
fs.protected_symlinks=1

# prevent unprivileged users from viewing the dmesg buffer
kernel.dmesg_restrict=1

# disable the kexec system call (can be used to replace the running kernel)
# https://lwn.net/Articles/580269
kernel.kexec_load_disabled=1

# impose restrictions on exposing kernel pointers
# https://lwn.net/Articles/420403
kernel.kptr_restrict=2

# restrict use of the performance events system by unprivileged users
# https://lwn.net/Articles/696216
kernel.perf_event_paranoid=3

# harden the BPF JIT compiler and restrict unprivileged use of BPF
# https://www.zerodayinitiative.com/advisories/ZDI-20-350
# https://lwn.net/Articles/660331
net.core.bpf_jit_harden=2
kernel.unprivileged_bpf_disabled=1

# disable unprivileged user namespaces
# https://lwn.net/Articles/673597
kernel.unprivileged_userns_clone=0

# reverse path filtering to prevent some ip spoofing attacks
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1

# disable icmp redirects and RFC1620 shared media redirects
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.shared_media=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.default.shared_media=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0

# disallow source-routed packets
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0

# Log martian packets
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1

# ignore pings sent to a broadcast address (common for smurf attacks)
net.ipv4.icmp_echo_ignore_broadcasts=1

# ignore bogus icmp error responses
net.ipv4.icmp_ignore_bogus_error_responses=1

# protect against time-wait assassination hazards in tcp
# https://tools.ietf.org/html/rfc1337
net.ipv4.tcp_rfc1337=1

# selective tcp acks have resulted in remotely exploitable crashes
# https://lwn.net/Articles/791409
net.ipv4.tcp_sack=0
net.ipv4.tcp_dsack=0

# disable tcp timestamps to avoid leaking some system information
# https://www.whonix.org/wiki/Disable_TCP_and_ICMP_Timestamps
net.ipv4.tcp_timestamps=0

# increase aslr effectiveness for mmap
# https://lwn.net/Articles/667790
vm.mmap_rnd_bits=32
vm.mmap_rnd_compat_bits=16

# ignore icmp echo requests
# uncomment if this system doesn't need to respond to pings
net.ipv4.icmp_echo_ignore_all=1

# disable creation of ipv6 addresses on network interfaces
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1

fs.suid_dumpable=0
kernel.sysrq=0
